SQL injection (also known as SQL fishing) is a
technique often used to attack data-driven applications.

This is done by including portions of SQL
statements in an entry field in an attempt to get the website to pass a
newly formed rogue SQL command to the database (e.g., dump the database
contents to the attacker). SQL injection is a code injection technique that
exploits a security vulnerability in an application's software.

The vulnerability happens when user input is
either incorrectly filtered for string literal escape characters embedded in
SQL statements or user input is not strongly typed and unexpectedly
executed. SQL injection is mostly known as an attack vector for websites but
can be used to attack any type of SQL database.

What is cURL?

cURL stands for "Client URL Request Library".

This is a command-line tool for getting or
sending files using URL syntax.

Burp Suite is a Java application that can
be used to secure or crack web applications. The suite consists of
different tools, such as a proxy server, a web spider, an intruder and a
so-called repeater, with which requests can be automated.

When Burp Suite is used as a proxy server
and a web browser uses this proxy server, it is possible to have control
of all traffic that is exchanged between the web browser and web
servers. Burp makes it possible to manipulate data before it is sent to
the web server.

Note:
This is not absolutely necessary, but if you are a computer security
student or professional, you should have a BackTrack VM.

Lab Notes

In this lab we will do the following:

Due to a purposely placed bug in the user-info.php
code, we will use a UNION SQL injection to obtain the NOWASP
(Mutillidae) application's pretend credit card information.

We will use Burp Suite to capture the
POST DATA string.

We will use curl to simulate web
browsing without using a web browser.

We will use a simple Perl program to
parse the curl results.

Legal Disclaimer

As a condition of your use of this Web
site, you warrant to computersecuritystudent.com that you will not use
this Web site for any purpose that is unlawful or
that is prohibited by these terms, conditions, and notices.

In accordance with UCC § 2-316, this
product is provided with "no warranties, either express or implied." The
information contained is provided "as-is", with "no guarantee of
merchantability."

In addition, this is a teaching website
that does not condone malicious behavior of
any kind.

You are on notice that continuing
and/or using this lab outside your "own" test environment
is considered malicious and is against the law.

UNION is used to combine the result
from multiple SELECT statements into a single result set.

The UNION operator is ALSO used in SQL
injections to join a query, purposely forged by the tester, to the
original query. The result of the forged query will be joined to the
result of the original query, allowing the tester to obtain the
values of fields of other tables.

We will later use this technique in
(Section 14, Step 4).

Section 8: Start Web Browser Session to Mutillidae

On BackTrack, Open Firefox

Instructions:

Click on the Firefox Icon

Notes (FYI):

If the Firefox icon does not exist in the Menu
Bar Tray, then go to Applications --> Internet --> Firefox Web Browser

So let's put the pieces together.
Imagine a web crawler that does nothing but curl web pages, looking for
the string "form" on pages that have this particular UNION
vulnerability. If the string "form" is found, it would try
a simple UNION SQL injection like (' union null-- ). It would then
recursively append null to the end of the UNION clause until
no more SQL errors are present.
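To show why the UNION technique from the earlier section works against the user-info.php style bug, and why the "append null until the errors stop" loop above is driven by the database's column-count error, here is an added example (not code from this lab or from Mutillidae). It assumes a constructed in-memory SQLite stand-in whose table and column names (accounts, credit_cards) are assumptions, and contrasts the vulnerable string-spliced query with the parameterized fix:

```python
import sqlite3

# Constructed stand-in for the NOWASP/Mutillidae accounts and credit_cards
# tables. Names are assumptions and every value is made up, not real data.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (username TEXT, password TEXT, signature TEXT);
        CREATE TABLE credit_cards (ccnumber TEXT, ccv TEXT, expiration TEXT);
        INSERT INTO accounts VALUES ('admin', 'adminpass', 'sig one');
        INSERT INTO accounts VALUES ('john', 'johnpass', 'sig two');
        INSERT INTO credit_cards VALUES ('4111-0000-0000-0001', '123', '2015-01');
        INSERT INTO credit_cards VALUES ('5500-0000-0000-0002', '456', '2016-06');
    """)
    return conn

def lookup_vulnerable(conn, username):
    # user-info.php style bug: the input is spliced into the SQL text, so a
    # quote in the input closes the literal and the rest is parsed as SQL.
    sql = ("SELECT username, password, signature FROM accounts "
           "WHERE username='" + username + "'")
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    # The fix: bind the value as a parameter; the driver never treats it as SQL,
    # so a UNION in the input only ever matches a literal username.
    sql = "SELECT username, password, signature FROM accounts WHERE username=?"
    return conn.execute(sql, (username,)).fetchall()

def sql_error_for(conn, username):
    # Returns the database error text the vulnerable query produces, or None.
    # A UNION whose column count differs from the original SELECT fails; that
    # error is the signal the "append null" loop watches for, which is why
    # verbose database errors should never be echoed back to the client.
    try:
        lookup_vulnerable(conn, username)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)

# Three columns, matching the original SELECT: credit card rows are joined in.
UNION_PAYLOAD = "' UNION SELECT ccnumber, ccv, expiration FROM credit_cards-- "
# One column: count mismatch, the database raises an error instead.
SHORT_PAYLOAD = "' UNION SELECT ccnumber FROM credit_cards-- "

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, UNION_PAYLOAD))
    print("parameterized:", lookup_parameterized(db, UNION_PAYLOAD))
    print("mismatch error:", sql_error_for(db, SHORT_PAYLOAD))
```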

Section 18: Restore Firefox Original Proxy Configurations

On BackTrack, Open Firefox

Instructions:

Click on the Firefox Icon

Notes (FYI):

If the Firefox icon does not exist in the
Menu Bar Tray, then go to Applications --> Internet --> Firefox Web
Browser

Firefox Preferences

Instructions:

Edit --> Preferences

Advanced Settings...

Instructions:

Click on the Advanced Icon

Click on the Network Tab

Click on the Setting... button

Connection Settings

Instructions:

Click on the No proxy radio button

Click on the OK button

Click on the Close button

Section 19: Proof of Lab

Proof of Lab, (On a BackTrack Terminal)

Instructions:

cd /root

ls -l lesson8.txt

./lesson8.pl | head -3

date

echo "Your Name"

Replace the string "Your Name" with
your actual name.

e.g., echo "John Gray"

Proof of Lab Instructions

Press both the <Ctrl> and <Alt> keys at
the same time.

Do a <PrtScn>

Paste into a word document

Upload to Moodle
